New iFrame Rootkit on Linux – Read the dirty details

Linux users and developers alike can expect some trouble with a new rootkit on the move. This time, it’s working as an iFrame attack on HTTP servers. The sample itself is pretty dynamic overall, and has the ability to infect Linux successfully AND hide its presence on the system.

The attack is characteristic of a drive-by download scenario, in which the rootkit attempts to attack an HTTP server through iFrame-related injections. Now for the dirty details…

Attempts to ‘call’ modules in the file system by using set_http_injection_conf, start_get_command_web_injection_from_server_thread, cs:start_get_command_web_injection_from_server_value, hide_folder_and_files, hide_process_init, etc.

It currently works on Debian Squeezy kernel version 2.6.32-5-amd64 (at least it matches).

Unstripped coding size is 500K.

Some functions are not fully working, so some have assumed it is in development stages or not fully complete.